US7779262B2 - Security method using electronic signature - Google Patents


Info

Publication number
US7779262B2
Authority
US
United States
Prior art keywords
value
signature
secret key
piece
terminal device
Prior art date
Legal status
Expired - Fee Related, expires
Application number
US11/411,926
Other versions
US20060248339A1 (en)
Inventor
Dae-youb Kim
Hwan-joon Kim
Maeng-Hee Sung
Weon-Il Jin
Current Assignee
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F15/00 Digital computers in general; Data processing equipment in general
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L63/12 Applying verification of the received information
                        • H04L63/126 Applying verification of the received information to the source of the received data

Definitions

  • the present invention relates to a security method using an electronic signature, and more particularly, to a security method using an electronic signature, which effectively authenticates a signature through a mediator and guarantees a forward security.
  • a security system is typically associated with an authentication system and a data encryption system.
  • the encryption system is generally classified into a secret key (referred to as ‘symmetric key’) system and a public key (referred to as ‘asymmetric key’) system.
  • the secret key system namely, the symmetric key system, uses the same key for encryption and decryption.
  • in the secret key system, it is necessary to keep the secrecy of a key in such a manner that only rightful persons know and possess a common secret key.
  • a public key based encryption scheme is widely used to perform an electronic signature.
  • Such an encryption scheme uses a pair of keys where one is public so that anyone may use it, whereas a private person keeps the other secretly.
  • the former is referred to as ‘public key’, whereas the latter is referred to as ‘secret key’.
  • the secret key is a key that a private person should sign to have it through a storage medium having a secret security function.
  • the public key is a key used when a verifier verifies a signature.
  • CA certificate authority
  • the public key certificate contains a public key, a valid period and a signature of the CA.
  • the CA authenticates a validity of the public key during a described valid period.
  • a signature verifier should always confirm whether or not a corresponding certificate has been revoked.
  • the signature verifier should verify such a certificate revocation list (CRL) every time. For example, with regard to mobile communication, because the signature verifier uses a bandwidth to transmit data, transmission of the CRL requires great expense.
  • a mediated Rivest, Shamir, and Adleman (mRSA) digital signature scheme was suggested to solve such an economical problem and a confirmation problem of a certificate revocation.
  • FIG. 1 is a view that illustrates a conventional security method in an mRSA scheme.
  • a semi-trusted party (SEM) 30 is adopted as a mediator for mediating an authentication of a public key although the mRSA scheme is inferior to a CA 10 with respect to reliability.
  • in the mRSA scheme, the authority party 10 generates a secret key d and a public key e.
  • the SEM 30 confirms whether or not a certificate used in the user terminal device 20 has been revoked. Only when the certificate has not been revoked, the SEM 30 performs a calculation operation.
  • the SEM 30 signs the transmitted hash value h of m using d_s, calculating a signature value PS_s ≡ h^{d_s} mod n of the SEM 30 side and transmitting it to the user terminal device 20.
  • the user terminal device 20 generates a signature and confirms a validity of the generated signature based on a signature value PS_u ≡ h^{d_u} mod n of a user side calculated using d_u and PS_s from the SEM 30.
  • the user terminal device 20 calculates h′ ≡ PS^e ≡ (PS_s × PS_u)^e mod n.
  • h′ is identical with h
  • a forward security becomes an issue in a general electronic signature generating and verifying scheme. For example, in a case where a certificate was revoked in 2000, when a user wants to forge a document written in 1999, it is recognized as a valid public key certificate prior to a point of the revocation. Accordingly, a verifier cannot judge the validity of the document. A forward security can prevent such a problem.
  • the ‘weak’ means that the forward security problem may be solved only when just one of d_s and d_u, the pieces composing a secret key, is exposed.
  • since the SEM is not perfectly reliable, d_s is a key that has a possibility of being exposed.
  • when an attacker of a system acquires d_s during a period i and conspires with a malicious user, they may easily acquire a necessary signature.
  • the above aspect of the present invention is substantially realized by providing a security method using an electronic signature, including the steps of: (a) generating a public key and an optional secret key composed of two kinds of pieces by a certificate authority in response to a request from a user terminal device; (b) issuing the secret key pieces to the user terminal device and a semi-trusted party not to be overlapped with each other; and (c) transmitting a first signature piece generated from the issued pieces of the private key to the user terminal device from the semi-trusted party when a certificate of the user terminal device is still valid.
  • the method may further include: (d) calculating the first signature piece and a second signature piece by the user terminal device to generate a signature value, the second signature is generated by a combination of an issued secret key piece and a predetermined value; and (e) confirming whether the signature value is valid.
  • the public key (e, w_i) may be an optimal number satisfying a condition given by 1 < e, w_i < Φ(n) under a condition of {e, w_i | 1 ≤ i ≤ T} ⊂ Z*_{Φ(n)}, by calculating an equation n = p × q (where it is assumed that i is an optimal even number, and p and q are each a predetermined prime number having i/2 bits)
  • i represents an optional period when a time axis is divided by a predetermined time unit
  • T represents a maximum value of an interval time to update an electronic signature generating and verifying system.
  • the secret key generated by the certificate authority may be (d, v_i), which is given by equations d ≡ e^{-1} mod Φ(n) and v_i ≡ w_i^{-1} mod Φ(n).
  • the certificate authority calculates and issues a user's secret key value d_{0,u} during a first period, which is given by d_{0,u} ≡ d_u × e^{-T} mod Φ(n), and a mediator's secret key value d_{0,s} during the first period, which is given by d_{0,s} ≡ d_s × e^{-T} mod Φ(n), to the user terminal device and the semi-trusted party.
  • FIG. 1 is a view that illustrates a conventional security method in an mRSA scheme
  • FIG. 2 is a view showing a system for executing a security method using an electronic signature according to an exemplary embodiment of the present invention
  • FIG. 3 is a table showing effects of an exemplary embodiment of the present invention.
  • FIG. 4 is a flow chart illustrating a security method using an electronic signature according to an exemplary embodiment of the present invention.
  • FIG. 2 is a view showing a system for executing a security method using an electronic signature according to an exemplary embodiment of the present invention.
  • a security system includes a user terminal device 200 , a certificate authority (CA) 100 , and a semi-trusted party (SEM) 300 .
  • CA certificate authority
  • SEM semi-trusted party
  • when a user requests the certificate authority 100 to register an electronic signature using the user terminal device 200, the authority party 100 generates a public key composed of e and w_i, and a secret key composed of d and v_i.
  • since the semi-trusted party 300 has information related to a secret key piece d_s of the user terminal device 200, it is referred to as a “semi-trusted server”.
  • the certificate authority 100 issues the computed d_{0,u} and d_{0,s} to the user terminal device 200 and the semi-trusted party 300, respectively.
  • the user terminal device 200 computes a user's secret key d_{u,i} to be used in each period i using the issued d_{0,u}.
  • the semi-trusted party 300 computes a mediator's secret key d_{s,i} to be used in each period i using the issued d_{0,s}.
  • the certificate authority 100 generates encryption keys by various computations.
  • the certificate authority 100 selectively generates two prime numbers p and q each having a size of i/2 bits.
  • the certificate authority 100 selects different numbers e and w_i that satisfy a condition given by 1 < e, w_i < Φ(n) under a condition of {e, w_i | 1 ≤ i ≤ T} ⊂ Z*_{Φ(n)}.
  • the certificate authority 100 calculates an equation 1 and an equation 2 to obtain d and v i , respectively.
  • the certificate authority 100 selects an optimal number d_u ∈ Z_n − {0}, and calculates an equation 3.
  • d_s = d − d_u mod Φ(n) (3)
  • a user's secret key and a mediator's secret key of a real i period are d_{i,u} and d_{i,s}, respectively.
  • the certificate authority 100 should calculate d_{0,u} and d_{0,s} ahead of computations of the d_{i,u} and d_{i,s}.
  • the certificate authority 100 calculates d_{0,u} and d_{0,s} by equations 4, respectively: d_{0,u} ≡ d_u × e^{-T} mod Φ(n), d_{0,s} ≡ d_s × e^{-T} mod Φ(n) (4)
  • the certificate authority 100 transmits the aforementioned calculated d_{0,u} to the user terminal device 200, and transmits d_{0,s} and v_i satisfying {d_{0,s}, v_i | 0 ≤ i ≤ T} to the semi-trusted party 300.
  • the user terminal device 200 and the semi-trusted party 300 calculate a user's secret key value d_{i,u} and a mediator's secret key value d_{i,s} during an i period by using equations (5), respectively.
  • i is set as a period in a case that a time axis is divided by a predetermined time.
  • m represents a message that a user will sign
  • the semi-trusted party 300 first confirms whether or not a user's certificate was already revoked. When the user's certificate was already revoked, an issue of a token requested from the user stops. Prior to issuing the token, the semi-trusted party 300 confirms whether or not the user's certificate was revoked using a CRL, thereby saving a user's trouble.
  • the semi-trusted party 300 calculates a mediator's secret key value d_{i,s} during an i period, and calculates a signature key for the semi-trusted party 300 during the i period as indicated by an equation 6.
  • k_{i,s} = d_{i,s} × v_i (6)
  • the semi-trusted party 300 calculates a token by using equations 7.
  • the semi-trusted party 300 transmits the calculated (PT_{i,s}(m), PS_{i,s}(m)) to the user terminal device 200.
  • the calculated (PT_{i,s}(m), PS_{i,s}(m)) are referred to as a ‘signed token’, namely, a ‘first signature piece value’.
  • the user terminal device 200 calculates a user's secret key value d_{i,u}.
  • the user terminal device 200 calculates a second signature piece value PS_{i,u}(m) using an equation 8, and calculates an equation 9 to complete a signature value.
  • PS_i(m) = PS_{i,u}(m) × PS_{i,s}(m) mod n (9)
  • h′ = PS_i(m)^{(e^{T−i+1} × w_i)} mod n (10)
  • the user terminal device 200 compares h′ with h.
  • the user terminal device 200 stops an issue of a document.
  • the user terminal device 200 authorizes validating that PS_i(m) satisfies equations 11 as a signature related to a message m during the i period.
  • the attacker needs three keys d_{i−1,u}, d_{i−1,s}, and v_{i−1} in order to compare a signature.
  • v_i and v_{i−1} are not associated with each other, so it is extremely difficult for the attacker to infer v_{i−1}.
  • FIG. 3 is a table showing effects of an exemplary embodiment of the present invention.
  • a power calculation with respect to a user's key calculated by the user terminal device 200 is the same as that in a weak forward security scheme.
  • a power calculation of e^i + (2 × v_i) in the semi-trusted party 300 needs two tokens. Since the semi-trusted party 300 is a central server, such a calculation is easy.
  • the semi-trusted party 300 should further store T secret keys v_i.
  • a user selectively stores w_i by using the user terminal device 200.
  • a size of w_i is relatively smaller than that of a secret key. Accordingly, an operation of the user terminal device 200 will be easy.
  • FIG. 4 is a flow chart illustrating a security method using an electronic signature according to an exemplary embodiment of the present invention.
  • the user terminal device 200 requests the certificate authority 100 to generate a key to be used in an electronic signature (step S 410 ).
  • the request for key generation from the user terminal device 200 is achieved through a registration request of a certificate at the certificate authority 100 .
  • in response to the request for the key generation, the certificate authority 100 generates a public key composed of e and w_i, and an optimal secret key composed of d and v_i (step S 420).
  • d is divided into secret key pieces d_u and d_s.
  • the certificate authority 100 issues secret key pieces calculated based on the d_u and d_s to the user terminal device 200 and the semi-trusted party 300, respectively (step S 430).
  • the semi-trusted party 300 confirms whether or not a user's certificate has been revoked (step S 440 ).
  • the semi-trusted party 300 stops the issuance of a key that a user requested.
  • the semi-trusted party 300 calculates a secret key piece to be used during a corresponding period using a secret key piece issued by the certificate authority 100, and then calculates and transmits a first signature piece value (step S 450).
  • the first signature piece value includes signed tokens (PT_{i,s}(m), PS_{i,s}(m)) obtained by calculating the equation 7.
  • the user terminal device 200 calculates the equation 8 to obtain a second signature piece, and calculates the equation 9 to complete a signature value (step S 460 ).
  • the user terminal device 200 calculates the equation 10 to obtain h′. Moreover, the user terminal device 200 confirms a validity of a signature according to whether or not h′ coincides with a calculated h (step S 470). When h′ is identical to the calculated h, a verifier verifying the signature using the user terminal device 200 accepts PS_i(m) as a valid signature value.
  • a security subject with a forward security may be effectuated.
  • the security method using an electronic signature efficiently manages and authenticates using a mediator.
  • the security method of the present invention guarantees a forward security to prevent documents from being forged by including a selected key in a secret key piece constituting a secret key as an optional number, with the result that information may be effectively protected.

Abstract

A security method using an electronic signature, which improves the performance of an electronic signature authentication by generating and verifying an electronic signature using a mediator, and acquires a forward security in an electronic signature generation and verification by adding a forward secure signature of semi-trusted party (SEM) to a partial signature value generated based on a secret key piece of the SEM. A public key and an optional secret key composed of two kinds of pieces are generated by a certificate authority in response to a request from a user terminal device. The secret key pieces are issued to the user terminal device and a semi-trusted party not to be overlapped with each other. A first signature piece generated from the issued pieces of the private key is transmitted to the user terminal device from the semi-trusted party when a certificate of the user terminal device is still valid.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims benefit under 35 U.S.C. §119 from Korean Patent Application No. 2005-35214 filed on Apr. 27, 2005, the entire content of which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a security method using an electronic signature, and more particularly, to a security method using an electronic signature, which effectively authenticates a signature through a mediator and guarantees a forward security.
2. Description of the Related Art
A security system is typically associated with an authentication system and a data encryption system. Although there exists other systems, the encryption system is generally classified into a secret key (referred to as ‘symmetric key’) system and a public key (referred to as ‘asymmetric key’) system. The secret key system, namely, the symmetric key system, uses the same key for encryption and decryption. In the secret key system, it is necessary to keep the secrecy of a key in such a manner that only rightful persons know and possess a common secret key.
In general, a public key based encryption scheme is widely used to perform an electronic signature. Such an encryption scheme uses a pair of keys where one is public so that anyone may use it, whereas a private person keeps the other secretly. The former is referred to as ‘public key’, whereas the latter is referred to as ‘secret key’.
The secret key is a key that a private person should sign to have it through a storage medium having a secret security function. In contrast to this, the public key is a key used when a verifier verifies a signature.
Here, there is a problem in judging whether or not a verified public key is valid. To solve the problem, a certificate authority (CA) issues a public key certificate verifying the validity.
The public key certificate contains a public key, a valid period and a signature of the CA. The CA authenticates a validity of the public key during a described valid period.
However, there may occur a case that even a certificate normally issued by the CA is revoked. In order to check the occurrence of the above-mentioned case, a signature verifier should always confirm whether or not a corresponding certificate has been revoked. There are problems in that the signature verifier should verify such a certificate revocation list (CRL) every time. For example, with regard to mobile communication, because the signature verifier uses a bandwidth to transmit data, transmission of the CRL requires great expense.
During a valid period, although a public key certificate is revoked at any time, since the time when the public key certificate is registered on the CRL coincides with an update time of a system, a deviation of a revocation time occurs.
A mediated Rivest, Shamir, and Adleman (mRSA) digital signature scheme was suggested to solve such an economical problem and a confirmation problem of a certificate revocation.
FIG. 1 is a view that illustrates a conventional security method in an mRSA scheme. With reference to FIG. 1, in the mRSA scheme, a semi-trusted party (SEM) 30 is adopted as a mediator for mediating an authentication of a public key although the mRSA scheme is inferior to a CA 10 with respect to reliability.
In the mRSA scheme, the authority party 10 generates a secret key d and a public key e. The secret key d is divided into a user key d_u to be used in the user terminal device 20 and a computation key d_s to be used in the semi-trusted party 30. That is, d, d_u, and d_s satisfy the condition d = d_u + d_s. Only when both secret key pieces are present is the secret key used for an original signature effected. When a user terminal device 20 wants to sign, the user terminal device 20 calculates and transmits a message hash value h to the SEM 30. Assuming that H is an appropriate hash function, h = H(m).
Next, the SEM 30 confirms whether or not a certificate used in the user terminal device 20 has been revoked. Only when the certificate has not been revoked does the SEM 30 perform a calculation operation. The SEM 30 signs the transmitted hash value h of m using d_s, calculating a signature value PS_s ≡ h^{d_s} mod n of the SEM 30 side and transmitting it to the user terminal device 20.
The user terminal device 20 generates a signature and confirms a validity of the generated signature based on a signature value PS_u ≡ h^{d_u} mod n of a user side calculated using d_u and PS_s from the SEM 30.
That is, the user terminal device 20 calculates h′ ≡ PS^e ≡ (PS_s × PS_u)^e mod n. When h′ is identical with h, the user terminal device 20 regards and uses PS (= PS_s × PS_u mod n) as a valid signature.
On the other hand, besides the aforementioned mRSA scheme, a forward security becomes an issue in a general electronic signature generating and verifying scheme. For example, in a case where a certificate was revoked in 2000, when a user wants to forge a document written in 1999, it is recognized as a valid public key certificate prior to a point of the revocation. Accordingly, a verifier cannot judge the validity of the document. A forward security can prevent such a problem.
In the aforementioned mRSA scheme, there is no way to prevent the used secret keys d_s and d_u from being exposed. To solve such a problem, a weak forward secure mRSA scheme has been suggested. Here, the ‘weak’ means that the forward security problem may be solved only when just one of d_s and d_u, the pieces composing a secret key, is exposed.
However, since the SEM is not perfectly reliable, d_s is a key that has a possibility of being exposed. In a case that an attacker of a system acquires d_s during a period i and conspires with a malicious user, they may easily acquire a necessary signature.
As a result, once d_s is exposed, since a necessary signature is able to be acquired through a conspiracy of the attacker and the user, the system is left in a defenseless state in which the forward security is not effective.
SUMMARY OF THE INVENTION
Accordingly, it is an aspect of the present invention to provide a security method using an electronic signature, which improves a performance of an electronic signature authentication by generating and verifying an electronic signature using a mediator, and acquires a forward security in an electronic signature generation and verification by adding a forward secure signature of an SEM to a partial signature value generated based on a secret key piece of the SEM.
The above aspect of the present invention is substantially realized by providing a security method using an electronic signature, including the steps of: (a) generating a public key and an optional secret key composed of two kinds of pieces by a certificate authority in response to a request from a user terminal device; (b) issuing the secret key pieces to the user terminal device and a semi-trusted party not to be overlapped with each other; and (c) transmitting a first signature piece generated from the issued pieces of the private key to the user terminal device from the semi-trusted party when a certificate of the user terminal device is still valid.
Preferably, but not necessarily, the method may further include: (d) calculating the first signature piece and a second signature piece by the user terminal device to generate a signature value, the second signature is generated by a combination of an issued secret key piece and a predetermined value; and (e) confirming whether the signature value is valid.
In the step (a), the public key (e, w_i) may be an optimal number satisfying a condition given by 1 < e, w_i < Φ(n) under a condition of {e, w_i | 1 ≤ i ≤ T} ⊂ Z*_{Φ(n)}, by calculating an equation n = p × q (where it is assumed that i is an optimal even number, p and q are each a predetermined prime number having i/2 bits, i represents an optional period when a time axis is divided by a predetermined time unit, and T represents a maximum value of an interval time to update an electronic signature generating and verifying system).
Also, in the step (a), the secret key generated by the certificate authority may be (d, v_i), which is given by equations d ≡ e^{-1} mod Φ(n) and v_i ≡ w_i^{-1} mod Φ(n). Here, the method may further include the step of calculating a user's secret key piece value d_u and a mediator's secret key piece value d_s, which is given by an equation d_s = d − d_u mod Φ(n), where it is satisfied that d = d_u + d_s, and d_u is an optimal number satisfying a condition of d_u ∈ Z_n − {0}.
In the step (b), the certificate authority calculates and issues a user's secret key value d_{0,u} during a first period, which is given by d_{0,u} ≡ d_u × e^{-T} mod Φ(n), and a mediator's secret key value d_{0,s} during the first period, which is given by d_{0,s} ≡ d_s × e^{-T} mod Φ(n), to the user terminal device and the semi-trusted party.
Most preferably, the user terminal device may calculate a user's secret key value d_{i,u} during the i period using the issued d_{0,u} by an equation d_{i,u} = d_{0,u} × e^i, and the semi-trusted party calculates a mediator's secret key value d_{i,s} during the i period using the issued d_{0,s} by an equation d_{i,s} = d_{0,s} × e^i. The first signature piece value may be PT_{i,s}(m) and PS_{i,s}(m), which are given by PT_{i,s}(m) = h^{v_i} and PS_{i,s}(m) ≡ h^{k_{i,s}}, and the second signature piece value is PS_{i,u}(m), which is given by PS_{i,u}(m) ≡ PT_{i,s}(m)^{d_{i,u}} mod n, where k_{i,s} = d_{i,s} × v_i, h is a calculated value of H(m, i), and H is a hash function.
A signature value PS_i may be calculated by an equation PS_i(m) = PS_{i,u}(m) × PS_{i,s}(m) mod n using the first signature piece value (PT_{i,s}(m), PS_{i,s}(m)) and the second signature piece value PS_{i,u}(m). The step (e) may confirm that the signature value is valid when h, given by an equation h = H(m, i) at the semi-trusted party, where H is a hash function, coincides with h′ given by an equation h′ = PS_i(m)^{(e^{T−i+1} × w_i)} mod n.
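The two schemes described above, worked through as an added Python example that is not code from the patent or from Samsung: the conventional mRSA of FIG. 1 (d = d_u + d_s, the SEM contributes h^{d_s}, the user contributes h^{d_u}) and the forward-secure scheme of equations (1) to (10). Toy-sized primes, SHA-256 as the hash function H, the way the per-period public values w_i are chosen, and the dict-based key records are assumptions of this example. Both signing paths put the revocation check at the SEM, so a revoked certificate yields no token, and the forward-secure verifier binds a signature to its period i through H(m, i) and w_i, which is why a signature produced for one period does not verify under another.

```python
"""Toy walk-through of mediated RSA (mRSA) and of the forward-secure variant.
Added illustration, not the patent's or Samsung's code. Assumed here: toy-sized
primes, SHA-256 as H, and the rule used to pick the per-period values w_i."""
import hashlib
import math
import secrets

# Constructed toy parameters: small enough to follow by hand, no security at all.
TOY_P, TOY_Q, TOY_E, TOY_T = 10007, 10009, 65537, 4

def hash_to_int(message, n, period=None):
    """h = H(m) for plain mRSA; h = H(m, i) when a period i is given (assumed: SHA-256)."""
    hasher = hashlib.sha256(message)
    if period is not None:
        hasher.update(period.to_bytes(4, "big"))
    return int.from_bytes(hasher.digest(), "big") % n

def ca_generate_keys(p=TOY_P, q=TOY_Q, e=TOY_E, T=TOY_T):
    """Certificate authority: steps S420/S430, equations (1) to (4)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                                  # (1) d = e^-1 mod Phi(n)
    # Per-period public values w_1..w_T in Z*_Phi(n), distinct from e (assumed
    # choice: successive odd integers above e that are coprime to Phi(n)).
    w, cand = [None], e + 2
    while len(w) <= T:
        if math.gcd(cand, phi) == 1:
            w.append(cand)
        cand += 2
    v = [None] + [pow(w_i, -1, phi) for w_i in w[1:]]  # (2) v_i = w_i^-1 mod Phi(n)
    d_u = secrets.randbelow(n - 1) + 1                   # d_u in Z_n - {0}
    d_s = (d - d_u) % phi                                # (3) d_s = d - d_u mod Phi(n)
    e_inv_T = pow(e, -T, phi)
    d0_u = d_u * e_inv_T % phi                           # (4) first-period pieces
    d0_s = d_s * e_inv_T % phi
    public = {"n": n, "e": e, "T": T, "w": w}
    # Neither party receives Phi(n): the user gets d_{0,u}, the SEM gets d_{0,s} and the v_i.
    user = {"d0_u": d0_u, "d_u": d_u, **public}
    sem = {"d0_s": d0_s, "d_s": d_s, "v": v, **public}
    return {"public": public, "user": user, "sem": sem}

def period_key(d0, i, e):
    """(5) d_{i,u} = d_{0,u} * e^i and d_{i,s} = d_{0,s} * e^i; left unreduced, since
    an exponent of h only matters modulo Phi(n), which these parties do not hold."""
    return d0 * pow(e, i)

def sem_sign_token(sem, message, i, cert_revoked):
    """Semi-trusted party: revocation check (step S440), then equations (6) and (7)."""
    if cert_revoked:
        return None                                      # revoked certificate: no token
    if not 1 <= i <= sem["T"]:
        raise ValueError("period i must satisfy 1 <= i <= T")
    n = sem["n"]
    h = hash_to_int(message, n, i)                       # h = H(m, i)
    k_i_s = period_key(sem["d0_s"], i, sem["e"]) * sem["v"][i]   # (6) k_{i,s} = d_{i,s} * v_i
    pt = pow(h, sem["v"][i], n)                          # (7) PT_{i,s}(m) = h^{v_i} mod n
    ps_s = pow(h, k_i_s, n)                              #     PS_{i,s}(m) = h^{k_{i,s}} mod n
    return pt, ps_s

def user_complete_signature(user, token, i):
    """User terminal: second piece from the token (8), combined signature (9)."""
    pt, ps_s = token
    d_i_u = period_key(user["d0_u"], i, user["e"])
    ps_u = pow(pt, d_i_u, user["n"])                     # (8) PS_{i,u}(m) = PT^{d_{i,u}} mod n
    return ps_u * ps_s % user["n"]                       # (9) PS_i(m) = PS_{i,u} * PS_{i,s} mod n

def verify_forward_secure(public, message, i, sig):
    """(10) h' = PS_i(m)^(e^{T-i+1} * w_i) mod n must equal h = H(m, i)."""
    n, e, T = public["n"], public["e"], public["T"]
    if not 1 <= i <= T:
        return False
    exponent = pow(e, T - i + 1) * public["w"][i]
    return pow(sig, exponent, n) == hash_to_int(message, n, i)

def mrsa_sign(user, sem, message, cert_revoked):
    """Conventional mRSA of FIG. 1: PS = PS_s * PS_u with PS_s = h^{d_s}, PS_u = h^{d_u}."""
    if cert_revoked:
        return None                                      # the SEM withholds PS_s
    n = user["n"]
    h = hash_to_int(message, n)                          # h = H(m), no period binding
    ps_s = pow(h, sem["d_s"], n)
    ps_u = pow(h, user["d_u"], n)
    return ps_s * ps_u % n

def mrsa_verify(public, message, sig):
    """h' = PS^e mod n must equal h = H(m)."""
    return pow(sig, public["e"], public["n"]) == hash_to_int(message, public["n"])

if __name__ == "__main__":
    keys = ca_generate_keys()
    msg = b"constructed sample document"
    token = sem_sign_token(keys["sem"], msg, 2, cert_revoked=False)
    sig = user_complete_signature(keys["user"], token, 2)
    print("verifies as period 2:", verify_forward_secure(keys["public"], msg, 2, sig))
    print("verifies as period 3:", verify_forward_secure(keys["public"], msg, 3, sig))
```

Only the CA ever holds Φ(n); the user and the SEM evolve their pieces with plain integer products d_{0,·} × e^i, which is enough because the exponent of h is only significant modulo Φ(n). The verification exponent e^{T−i+1} × w_i cancels the e^{i−T−1} and v_i factors that the two pieces contribute, so h′ equals h exactly when both pieces belong to the same period i and the same message.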
BRIEF DESCRIPTION OF THE DRAWINGS
The above aspects of the present invention will be more apparent by describing certain exemplary embodiments of the present invention with reference to the accompanying drawings, in which:
FIG. 1 is a view that illustrates a conventional security method in an mRSA scheme;
FIG. 2 is a view showing a system for executing a security method using an electronic signature according to an exemplary embodiment of the present invention;
FIG. 3 is a table showing effects of an exemplary embodiment of the present invention; and
FIG. 4 is a flow chart illustrating a security method using an electronic signature according to an exemplary embodiment of the present invention.
DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS
An exemplary embodiment of the present invention will be described with reference to the accompanying drawings in detail. In other instances, well known features have not been described in detail so as not to obscure the present invention.
FIG. 2 is a view showing a system for executing a security method using an electronic signature according to an exemplary embodiment of the present invention.
Referring to FIG. 2, a security system according to an exemplary embodiment of the present invention includes a user terminal device 200, a certificate authority (CA) 100, and a semi-trusted party (SEM) 300.
When a user requests the certificate authority 100 to register an electronic signature using the user terminal device 200, the authority party 100 generates a public key composed of e and w_i, and a secret key composed of d and v_i. The d is a secret key piece, which is divided into a user key d_u computed by the user terminal device 200 and a computation key d_s computed by the semi-trusted party 300. That is, the condition of d = d_u + d_s is satisfied.
Since the semi-trusted party 300 has information related to a secret key piece d_s of the user terminal device 200, it is referred to as a “semi-trusted server”.
The certificate authority 100 issues the computed d_{0,u} and d_{0,s} to the user terminal device 200 and the semi-trusted party 300, respectively. The user terminal device 200 computes a user's secret key d_{u,i} to be used in each period i using the issued d_{0,u}. The semi-trusted party 300 computes a mediator's secret key d_{s,i} to be used in each period i using the issued d_{0,s}.
It is assumed that $i$ is a sufficiently large even number. The certificate authority 100 generates encryption keys by various computations. The certificate authority 100 selects two prime numbers $p$ and $q$, each having a size of $i/2$ bits, and calculates $n = p \cdot q$.
The certificate authority 100 selects distinct numbers $e$ and $w_i$ that satisfy $1 < e, w_i < \Phi(n)$ under the condition $\{e, w_i \mid 1 \le i \le T\} \subset Z^*_{\Phi(n)}$, where $i$ denotes an arbitrary period when the time axis is divided into predetermined time units, and $T$ represents the maximum value of the interval after which the electronic signature generating and verifying system is updated.
The certificate authority 100 calculates equation 1 and equation 2 to obtain $d$ and $v_i$, respectively. $A = B \bmod C$ means that the residue is $A$ when $B$ is divided by $C$. $\Phi(n)$ is Euler's phi function defined on a positive integer $n$, described here as the number of prime factors of $n$ among the positive integers from 1 to $n$. For example, among 1, 2, 3, 4, 5, 6, the prime factors of 6 are 2 and 3; in this case $\Phi(6) = 2$.
$$d \equiv e^{-1} \bmod \Phi(n) \quad (1)$$
$$v_i \equiv w_i^{-1} \bmod \Phi(n) \quad (2)$$
When time is divided into predetermined units and the period one unit before period $i$ is $i-1$, there is no relation between $v_i$ and $v_{i-1}$. Accordingly, even if one of them is found, the probability of finding the other is low.
Further, the certificate authority 100 selects an arbitrary number $d_u \in Z_n - \{0\}$ and calculates equation 3.
$$d_s = d - d_u \bmod \Phi(n) \quad (3)$$
where $d$ is the secret key piece that is divided into the user key $d_u$ computed by the user terminal device 200 and the computation key $d_s$ computed by the semi-trusted party 300. That is, the condition $d = d_u + d_s$ is satisfied.
It is assumed that the user's secret key and the mediator's secret key for an actual period $i$ are $d_{i,u}$ and $d_{i,s}$, respectively. The certificate authority 100 must calculate $d_{0,u}$ and $d_{0,s}$ before $d_{i,u}$ and $d_{i,s}$ can be computed. The certificate authority 100 calculates $d_{0,u}$ and $d_{0,s}$ by equations 4.
$$d_{0,u} \equiv d_u \times e^{-T} \bmod \Phi(n)$$
$$d_{0,s} \equiv d_s \times e^{-T} \bmod \Phi(n) \quad (4)$$
The certificate authority 100 transmits the calculated $d_{0,u}$ to the user terminal device 200, and transmits $d_{0,s}$ together with the values $v_i$ satisfying $\{v_i \mid 0 \le i \le T\}$ to the semi-trusted party 300.
When $i$ denotes a period of the time axis divided into predetermined units, the user terminal device 200 and the semi-trusted party 300 calculate the user's secret key value $d_{i,u}$ and the mediator's secret key value $d_{i,s}$ for period $i$ using equations 5, respectively.
$$d_{i,u} = d_{0,u} \times e^i$$
$$d_{i,s} = d_{0,s} \times e^i \quad (5)$$
It is assumed that $i$ is a period of the time axis divided into predetermined units. When $0 \le i \le T$ is satisfied and $m$ is the message the user will sign, the user terminal device 200 calculates $h = H(m, i)$ and transmits the calculated $h$ to the semi-trusted party 300.
On the other hand, the semi-trusted party 300 first confirms whether or not the user's certificate has already been revoked. When the user's certificate has been revoked, issuance of the token requested by the user stops. Prior to issuing the token, the semi-trusted party 300 confirms whether or not the user's certificate has been revoked using a CRL, thereby saving the user trouble.
The semi-trusted party 300 calculates the mediator's secret key value $d_{i,s}$ for period $i$, and then calculates its own signature key for period $i$ as indicated by equation 6.
$$k_{i,s} = d_{i,s} \cdot v_i \quad (6)$$
Then, the semi-trusted party 300 calculates a token using equations 7.
$$PS_{i,s}(m) = h^{k_{i,s}}$$
$$PT_{i,s}(m) = h^{v_i} \quad (7)$$
The semi-trusted party 300 transmits the calculated pair $(PT_{i,s}(m), PS_{i,s}(m))$ to the user terminal device 200. The pair $(PT_{i,s}(m), PS_{i,s}(m))$ is referred to as a ‘signed token’, namely a ‘first signature piece value’.
Further, the user terminal device 200 calculates the user's secret key value $d_{i,u}$.
On the other hand, the user terminal device 200 calculates a second signature piece value $PS_{i,u}(m)$ using equation 8, and calculates equation 9 to complete the signature value.
$$PS_{i,u}(m) \equiv PT_{i,s}(m)^{d_{i,u}} \bmod n \quad (8)$$
$$PS_i(m) = PS_{i,u}(m) \times PS_{i,s}(m) \bmod n \quad (9)$$
To authenticate the generated signature, the user terminal device 200 calculates equation 10 to obtain $h'$.
$$h' = PS_i(m)^{(e^{T-i+1} \times w_i)} \bmod n \quad (10)$$
Next, the user terminal device 200 compares $h'$ with $h$. When $h$ and $h'$ differ, the user terminal device 200 stops issuing the document. Conversely, when $h$ and $h'$ are identical, the user terminal device 200 accepts $PS_i(m)$ as a valid signature on message $m$ during period $i$, since it satisfies equations 11.
$$\begin{aligned} PS_i(m) &= PS_{i,s}(m) \times PS_{i,u}(m) \\ &= \left(H(m,i)^{v_i}\right)^{d_{i,u}} \times \left(H(m,i)^{v_i}\right)^{d_{i,s}} \\ &= H(m,i)^{\left((d_{0,u} \times e^i) + (d_{0,s} \times e^i)\right) \times v_i} \\ &= H(m,i)^{\left((d_u \times e^{-T}) + (d_s \times e^{-T})\right) \times e^i \times v_i} \\ &= H(m,i)^{d \times e^{i-T} \times v_i} \end{aligned} \quad (11)$$
It is clear that equations 13 are satisfied when a valid signature is generated in accordance with equation 12.
$$PS_i(m)^{(e^{T-i+1} \times w_i)} \equiv H(m,i) \bmod n \quad (12)$$
It is assumed that the user's secret key value $d_{i,u}$ for period $i$, the mediator's secret key value $d_{i,s}$ for period $i$, and the time key value $v_i$ of the semi-trusted party 300 for period $i$ are exposed to an attacker.
The attacker needs the three keys $d_{i-1,u}$, $d_{i-1,s}$ and $v_{i-1}$ in order to forge a signature for period $i-1$. However, as noted previously, since $v_i$ and $v_{i-1}$ are independently chosen arbitrary numbers, they are not associated with each other, and it is extremely difficult for the attacker to infer $v_{i-1}$.
Even if the attacker calculates $h^{d_{i-1,u} \times d_{i-1,s}} \bmod n$ using equations 13 and 14, the attacker cannot easily forge a signature on a message $m$ for period $i-1$.
$$d_s = d_{i,s} \times e^{T-i}$$
$$d_u = d_{j,u} \times e^{T-j} \quad (13)$$
$$h = H(m, i-1)^d \quad (14)$$
FIG. 3 is a table showing effects of an exemplary embodiment of the present invention. With reference to FIGS. 2 and 3, the exponentiation for the user's key performed by the user terminal device 200 is the same as in the weak forward security scheme. However, the exponentiation of $e^i + (2 \times v_i)$ in the semi-trusted party 300 requires two tokens. Since the semi-trusted party 300 is a central server, such a calculation is easy. For forward security, the semi-trusted party 300 must additionally store the $T$ secret keys $v_i$.
The user optionally stores $w_i$ in the user terminal device 200. However, the size of $w_i$ is relatively small compared with that of a secret key, so the burden on the user terminal device 200 is light.
FIG. 4 is a flow chart illustrating a security method using an electronic signature according to an exemplary embodiment of the present invention.
Referring to FIGS. 2 and 4, the user terminal device 200 requests the certificate authority 100 to generate a key to be used in an electronic signature (step S410). The request for key generation from the user terminal device 200 is achieved through a registration request of a certificate at the certificate authority 100.
In response to the request for key generation, the certificate authority 100 generates a public key composed of $e$ and $w_i$, and a secret key composed of $d$ and $v_i$ in which the split of $d$ is arbitrarily chosen (step S420). Here, $d$ is divided into secret key pieces $d_u$ and $d_s$.
Furthermore, the certificate authority 100 issues the secret key pieces calculated from $d_u$ and $d_s$ to the user terminal device 200 and the semi-trusted party 300, respectively (step S430).
On the other hand, the semi-trusted party 300 confirms whether or not a user's certificate has been revoked (step S440). When the user's certificate has been revoked, the semi-trusted party 300 stops the issuance of a key that a user requested.
When the user's certificate has not been revoked, the semi-trusted party 300 calculates the secret key piece to be used during the corresponding period from the secret key piece issued by the certificate authority 100, and then calculates and transmits a first signature piece value (step S450). Here, the first signature piece value consists of the signed tokens $(PT_{i,s}(m), PS_{i,s}(m))$ obtained by calculating equation 7.
The user terminal device 200 calculates equation 8 to obtain the second signature piece, and calculates equation 9 to complete the signature value (step S460).
In order to authenticate the generated signature value, the user terminal device 200 calculates equation 10 to obtain $h'$. The user terminal device 200 then confirms the validity of the signature according to whether or not $h'$ coincides with the calculated $h$ (step S470). When $h'$ is identical to the calculated $h$, a verifier checking the signature with the user terminal device 200 accepts $PS_i(m)$ as a valid signature value.
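The key-generation, token, signing and verification steps above (equations 1 to 10 and steps S410 to S470), as an added example that is not part of the patent: a Python walk-through on constructed toy parameters. The primes, $T$, the message, the user identifier and the revocation set are assumed sample values, and $H(m, i)$ is taken here as SHA-256 over the message and period index reduced into $Z_n$, which the patent leaves unspecified.

```python
# Added example (not the patent's own code): a toy walk-through of the mediated
# forward-secure RSA signature of FIG. 2 / FIG. 4, equations (1)-(10).
# The primes, T, message and revocation list are constructed sample values and the
# primes are far too small for real use. The user and the SEM never reduce their
# exponents mod phi(n), because in the scheme only the CA knows phi(n).
import hashlib
import secrets
from math import gcd

T = 8                                 # number of periods (constructed)
P, Q = 1000000007, 998244353          # toy primes (constructed)
N = P * Q
PHI = (P - 1) * (Q - 1)               # Euler's phi of n, known only to the CA
E = 65537                             # first public key value e


def H(m: bytes, i: int) -> int:
    """h = H(m, i): hash of the message and the period index, taken into Z_n (assumed)."""
    return int.from_bytes(hashlib.sha256(m + i.to_bytes(4, "big")).digest(), "big") % N


def ca_keygen():
    """Certificate authority: equations (1)-(4) plus the per-period (w_i, v_i) pairs."""
    d = pow(E, -1, PHI)                               # (1) d = e^-1 mod phi(n)
    w, v = [0] * (T + 1), [0] * (T + 1)
    for i in range(T + 1):
        while True:                                   # independent w_i for every period
            w[i] = secrets.randbelow(PHI - 2) + 2
            if gcd(w[i], PHI) == 1:
                break
        v[i] = pow(w[i], -1, PHI)                     # (2) v_i = w_i^-1 mod phi(n)
    d_u = secrets.randbelow(N - 1) + 1                # arbitrary d_u in Z_n - {0}
    d_s = (d - d_u) % PHI                             # (3) so d = d_u + d_s mod phi(n)
    e_inv_T = pow(E, -T, PHI)
    return d_u * e_inv_T % PHI, (d_s * e_inv_T % PHI, v), w   # (4) d_{0,u}, (d_{0,s}, v), w


def sem_token(sem_share, i, h, revoked, user_id):
    """Semi-trusted party, steps S440/S450: CRL check, then equations (5)-(7)."""
    d0_s, v = sem_share
    if user_id in revoked:                            # revoked certificate: no token issued
        return None
    d_is = d0_s * E ** i                              # (5) mediator's key for period i
    k_is = d_is * v[i]                                # (6) SEM signature key
    return pow(h, v[i], N), pow(h, k_is, N)           # (7) (PT_{i,s}(m), PS_{i,s}(m))


def user_sign(d0_u, i, token):
    """User terminal, step S460: equations (5), (8) and (9)."""
    pt, ps_s = token
    d_iu = d0_u * E ** i                              # (5) user's key for period i
    ps_u = pow(pt, d_iu, N)                           # (8) second signature piece
    return ps_u * ps_s % N                            # (9) PS_i(m)


def verify(sig, m, i, w):
    """Step S470, equation (10): accept only if h' equals H(m, i)."""
    return pow(sig, E ** (T - i + 1) * w[i], N) == H(m, i)


def demo():
    """Run the FIG. 4 flow on constructed inputs and return the verifier's checks."""
    d0_u, sem_share, w = ca_keygen()
    m, i = b"constructed sample document", 3
    h = H(m, i)
    token = sem_token(sem_share, i, h, revoked=set(), user_id="alice")
    sig = user_sign(d0_u, i, token)
    return {
        "valid": verify(sig, m, i, w),                       # h' == h
        "wrong_period": verify(sig, m, i - 1, w),            # period-i signature, period i-1 keys
        "tampered": verify(sig, b"altered document", i, w),  # message changed after signing
        "revoked_refused": sem_token(sem_share, i, h, {"alice"}, "alice") is None,
    }
```

The period-$(i-1)$ check shows why the independent $w_i$ matter: a signature produced with period-$i$ shares does not verify under any other period's public value.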
Through the aforementioned procedure, even when an attacker and a user conspire with each other, or many users conspire with each other, forward security can be achieved by including an arbitrarily selected secret key piece in the secret key.
The foregoing embodiments are merely exemplary and are not to be construed as limiting the present invention. The present teaching can be readily applied to other types of apparatuses. Also, the description of the exemplary embodiments of the present invention is intended to be illustrative, and not to limit the scope of the claims, and many alternatives, modifications, and variations will be apparent to those skilled in the art.
As mentioned above, the security method using an electronic signature according to exemplary embodiments of the present invention efficiently manages and authenticates signatures using a mediator. In addition, the security method of the present invention guarantees forward security, preventing documents from being forged, by including an arbitrarily selected key in the secret key piece constituting the secret key, so that information may be effectively protected.

Claims (9)

1. A security method using an electronic signature, comprising:
(a) generating a public key and a secret key comprising two pieces of information which are independent of each other, by a certificate authority, in response to a request from a user terminal device, wherein the public key comprises a first public key value and a second public key value, and the secret key comprises a first secret key piece computed based on the first public key value and a second secret key piece computed based on the second public key value, and the first secret key piece is divided into a user's secret key and a mediator's secret key;
(b) issuing the two pieces of information the user's secret key to the user terminal device and the mediator's secret key and the second secret key piece to a semi-trusted party, respectively;
(c) transmitting a first signature piece generated from-based on the computation key and the second key piece the two issued pieces of information of the secret key, to the user terminal device from the semi-trusted party when a certificate of the user terminal device is still valid;
(d) utilizing the first signature piece and a second signature piece, by the user terminal device, to generate a signature value, the second signature piece being generated by a combination of the first signature piece an issued secret key piece and a predetermined value; and
(e) confirming whether the signature value is valid.
2. The method as claimed in claim 1, wherein in the operation (a), the public key $(e, w_i)$ is an optimal number satisfying a condition given by $1 < e, w_i < \phi(n)$ under a condition of $\{e, w_i \mid 1 \le i \le T\} \subset Z^*_{\phi(n)}$, by calculating an equation $n = p \cdot q$, where it is assumed that $i$ is an optimal even number, $p$ and $q$ are each a predetermined prime number having $i/2$ bits, $i$ represents a period when a time axis is divided by a predetermined time unit, and $T$ represents a maximum value of an interval time to update an electronic signature generating and verifying system,
wherein the first public key value is the value e, and the second public key value is the value wi.
3. The method as claimed in claim 2, wherein in the operation (a), the secret key generated by the certificate authority is $(d, v_i)$, which is given by equations $d \equiv e^{-1} \bmod \phi(n)$ and $v_i \equiv w_i^{-1} \bmod \phi(n)$,
wherein the first secret key piece is the value d, and the second secret key piece is the value vi.
4. The method as claimed in claim 3, further comprising:
calculating a user key $d_u$ and a computation key $d_s$, which is given by an equation $d_s = d - d_u \bmod \Phi(n)$, where it is satisfied that $d = d_u + d_s$, and $d_u$ is an optimal number satisfying a condition of $d_u \in Z_n - \{0\}$.
5. The method as claimed in claim 4, wherein in the operation (b), the certificate authority calculates and issues the user's secret key value $d_{0,u}$ during a first period, which is given by $d_{0,u} \equiv d_u \times e^{-T} \bmod \Phi(n)$, and the mediator's secret key value $d_{0,s}$ during the first period, which is given by $d_{0,s} \equiv d_s \times e^{-T} \bmod \Phi(n)$, to the user terminal device and the semi-trusted party.
6. The method as claimed in claim 4, wherein the user terminal device calculates a user's secret key value $d_{i,u}$ during period $i$ using the issued $d_{0,u}$ according to an equation $d_{i,u} = d_{0,u} \times e^i$, and the semi-trusted party calculates a mediator's secret key value $d_{i,s}$ during period $i$ using the issued $d_{0,s}$ according to an equation $d_{i,s} = d_{0,s} \times e^i$.
7. The method as claimed in claim 6, wherein the first signature piece value is $PT_{i,s}(m)$ and $PS_{i,s}(m)$, where $PT_{i,s}(m) = h^{v_i}$ and $PS_{i,s}(m) \equiv h^{k_{i,s}}$, and the second signature piece value is $PS_{i,u}(m)$, where $PS_{i,u}(m) \equiv PT_{i,s}(m)^{d_{i,u}} \bmod n$, $k_{i,s} = d_{i,s} \cdot v_i$, and $h$ is the calculated value of $H(m, i)$, $H$ being a hash function.
8. The method as claimed in claim 7, wherein a signature value $PS_i$ is calculated by an equation $PS_i(m) = PS_{i,u}(m) \times PS_{i,s}(m) \bmod n$ using the first signature piece value $(PT_{i,s}(m), PS_{i,s}(m))$ and the second signature piece value $PS_{i,u}(m)$.
9. The method as claimed in claim 8, wherein in operation (e), the semi-trusted party confirms whether the signature value is valid when $h$ is determined by an equation $h = H(m, i)$, $H$ is a hash function, and $h$ coincides with $h'$ given by an equation $h' = PS_i(m)^{(e^{T-i+1} \times w_i)} \bmod n$.
US11/411,926 2005-04-27 2006-04-27 Security method using electronic signature Expired - Fee Related US7779262B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR2005-0035214 2005-04-27
KR10-2005-0035214 2005-04-27
KR1020050035214A KR100635280B1 (en) 2005-04-27 2005-04-27 Security method using electronic signature

Publications (2)

Publication Number Publication Date
US20060248339A1 US20060248339A1 (en) 2006-11-02
US7779262B2 true US7779262B2 (en) 2010-08-17